IETF Logo Mail Archive

Re: [v6ops] Implementation Status of PREF64

Owen DeLong <owen@delong.com> Thu, 30 September 2021 07:53 UTC

Return-Path: <owen@delong.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 623703A1706 for <v6ops@ietfa.amsl.com>; Thu, 30 Sep 2021 00:53:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=delong.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lZ6dGelPnh6j for <v6ops@ietfa.amsl.com>; Thu, 30 Sep 2021 00:53:41 -0700 (PDT)
Received: from owen.delong.com (owen.delong.com [IPv6:2620:0:930::200:2]) by ietfa.amsl.com (Postfix) with ESMTP id C98013A1704 for <v6ops@ietf.org>; Thu, 30 Sep 2021 00:53:41 -0700 (PDT)
Received: from smtpclient.apple ([IPv6:2620:0:930:0:7062:895a:a29f:1c88]) (authenticated bits=0) by owen.delong.com (8.16.1/8.15.2) with ESMTPSA id 18U7rbvW2997752 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 30 Sep 2021 00:53:38 -0700
DKIM-Filter: OpenDKIM Filter v2.11.0 owen.delong.com 18U7rbvW2997752
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=delong.com; s=mail; t=1632988418; bh=gr+KPyYYHNjzGg/b64zyWJeOYIV9Jv+NA2Y+wseYUkA=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=PRJgzi2K8Y5WloX9TnicNmE+t9OTI0KYboQ9BQlmg3nyYN6vEJUpnxWtScZzvYLFj DPcAIB7i659qCpbOZ2PQdz565WnaEKEwq2893DKDoCsBTg0MlAo6yJUNa182E7cPjt PSUt15dQ2dIIDCYnfYDtycPoN3KONTpwd0YrNZhA=
From: Owen DeLong <owen@delong.com>
Message-Id: <CC5C7DAB-378D-4160-BBCE-2C8E2E4C108F@delong.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_7DB3B0FD-CD86-4DCE-88DE-C192F5CAB04E"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
Date: Thu, 30 Sep 2021 00:53:36 -0700
In-Reply-To: <CAKD1Yr3eqCGCw_ruGSFyPq6t1iezqXpsnNeGcfjT0pV_b8-UTQ@mail.gmail.com>
Cc: Mark Smith <markzzzsmith@gmail.com>, v6ops list <v6ops@ietf.org>
To: Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>
References: <DDA36020-90CC-471B-83AD-3D98950F1164@delong.com> <CAO42Z2wdoSdJDOB2Zo0=ZK0ecOARRsdg2nbHZGSDOhryPbLfDw@mail.gmail.com> <F2BD0A42-E9AD-45DD-999A-638E73BE1177@delong.com> <CAKD1Yr2K3Gd3JD=NJFOoH6GYgs-8ACxRQB9-sKJ7cbF4_hxsow@mail.gmail.com> <0B533C71-5DB0-410D-A5A3-7E8FD559F214@delong.com> <CAKD1Yr3NoYfNT7+OVJoCCdgdif6AHHw29tNCPttS=-NuRZKv3w@mail.gmail.com> <5FAD5290-3616-4194-B783-D473DB38A89A@delong.com> <m1mVGC6-0000HSC@stereo.hq.phicoh.net> <D6620D7C-8FE8-4294-8014-AB18A230C9C7@delong.com> <m1mVItl-0000GuC@stereo.hq.phicoh.net> <YVN6/cA6Ob3vLJQH@Space.Net> <m1mVK32-0000HpC@stereo.hq.phicoh.net> <CAO42Z2zQys6o41+m1iX1Mm88M7CaUdQa1C+uuYqxz2STfcwt_Q@mail.gmail.com> <d2887464-19d7-da09-d6f6-51ddc0e9ca45@foobar.org> <CAO42Z2w=BVoy-EmkM+x=8bVJc8WAcwRyLrdpsOAxu-as3ed6ZQ@mail.gmail.com> <5C6472D8-EA2E-4F4F-9DBD-2484277284F9@delong.com> <CAKD1Yr3eqCGCw_ruGSFyPq6t1iezqXpsnNeGcfjT0pV_b8-UTQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.4 (owen.delong.com [IPv6:2620:0:930:0:0:0:200:2]); Thu, 30 Sep 2021 00:53:38 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/eNC-hlhdOL-kMQnYbvXUoBoB_NA>
Subject: Re: [v6ops] Implementation Status of PREF64
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Sep 2021 07:53:47 -0000


> On Sep 30, 2021, at 00:06 , Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org> wrote:
> 
> On Thu, Sep 30, 2021 at 11:16 AM Owen DeLong <owen=40delong.com@dmarc.ietf.org <mailto:40delong.com@dmarc.ietf.org>> wrote:
> Nonetheless, restoring the e2e addressing model and true peer-to-peer networking _IS_, in fact, worth the effort and expense IMHO.
> 
> Owen, I think you need to realize that IPv6 by itself does not provide end-to-end addressing. It only provides end-to-end addressing if sufficient addresses are available, and if it's possible to inform devices of network configuration changes. DHCP as currently managed and deployed is terrible at both those things. Yes, I know it's possible to *sort of* make DHCPv6 do this via reconfigure, multiple DUIDs, etc., but current implementations and operational models do not do this.

It inherently provides E2E address transparency so long as nobody sticks packet header mutilation (i.e. NAT) in the path.

I understand that there are things you don’t like about DHCPv6, but what you aren’t getting here is that no matter how good or bad those things are, they are what some institutions want and they  WILL NOT DEPLOY IPv6 without IA_NA period.

What you want to allow or not on your own network is fine, but you’re a device manufacturer with significant market share. The fact that you’re holding the entire industry hostage to your personal attitudes by telling people what capabilities they can’t have if they want your devices on their network is going to lead to one of two eventualities and neither of them is the one you want…

1. Enterprises will simply continue to stall on IPv6 until there’s android support.
or
2. Enterprises will simply start selling their android users “too bad, so sad, your device won’t work with our network, get something with proper IPv6 support.”

> As for network changes - sure, it's possible to ensure that things don't change, like an enterprise network that uses PI space.

And there are precisely a lot of enterprises in that boat.

> But as for sufficient addresses... as you said yourself in this thread, (some) operators want to use DHCPv6 in order to ensure a single address per device. This will not result in end-to-end connectivity. It will result in the device getting that single address running NAT66 and and and all the other functions inside that device or connected to it getting private IPv6 addresses and non-end-to-end connectivity. We tried to write this down in RFC 7934 sections 3 and 4 <https://datatracker.ietf.org/doc/html/rfc7934#section-3>.

In the networks that choose to implement it that way, so be it. Frankly, for all practical purposes from the outside perspective, that’s still e2e. There aren’t multiple devices behind that device with whatever crazy NAT scheme is going on in the device (which, frankly, makes little sense and won’t really help anything), so since one address identifies the correct device in a transparent manner, that’s most of what most people care about from an E2E perspective.

As to sections 3 and 4 of RFC7934, I’ll answer as follows:

	Privacy addressing is a myth. It really doesn’t prevent tracking, it just moves it up the stack.

	Multiple processors share addresses on lots of systems without NAT, so it’s not clear to me why this doesn’t work
	The current IWLAN spec is here: 24327-c00.zip <https://www.3gpp.org/ftp/Specs/archive/24_series/24.327/24327-c00.zip> btw. Perhaps I’m misunderstanding the spec, but it looks like
	the application processor would mostly be talking through the tunnel using addresses provided for the tunnel
	interior by its home agent. In that case, it’s not really an issue. However, simultaneous attachment and/or
	roaming between MIPv6 and the corporate LAN is considered undesirable by a number of enterprise security
	departments, so disabling this functionality isn’t exactly viewed as a bad thing in the very cases we are
	discussing.

	For tethering, I think we can all agree that IA_PD is preferable. The handset is a router at that point.

	Most enterprises aren’t wild about supporting random hypervisors they don’t control, so again, disabling
	this capability is viewed as a feature, not a bug in those environments.

	Enterprises that are deploying DHCPv6 are most likely to run dual stack. I think that the tradeoff of
	either DHCPv6 IA_NA single address _OR_ 464XLAT is one administrators can make an informed
	decision about on a network by network basis.

	ILA is a draft which expired in 2017.

	I think that administrators can make an informed decision between whether or not they wish to support
	things like TARP or per-application IPv6 addresses. I don’t think an equipment vendor should be making that
	decision for them.

	DHCPv6 PD is widely available and 3GPP release 10+ is sufficiently widely deployed that I think this concern
	is obsolete.

For section 4:

	These may be valid tradeoffs, but they’re choices that the network administrator should make,
	not something where an equipment vendor should substitute their judgment for the network administrator’s.

	The added latency for provisioning an address via DHCP vs. SLAAC is almost zero and in some cases,
	DHCPv6 can be faster due to the lack of need for DAD.

	In general, the provisioning operation in question will occur at network attachment time anyway and in
	the environments where this is a concern, a self-assigned address isn’t going to get anywhere until the
	provisioning function completes anyway. As such, this doesn’t really provide any additional problems.

	We deal with failures of DHCP in dhcpv4 today and there’s the same challenge if you don’t get an RA
	in response to your RS or if DAD fails too many times or… The alleged increase in complexity is a stretch
	at best.

	The goals of the concluding paragraph of section 4 are laudable, but they ignore some of the other
	reasons that many enterprise networks want to have greater control and accountability on addressing
	that can be achieved with SLAAC, RFC4941, etc.

	It also ignores the possibility of providing additional host configuration information and/or requirements
	via DHCP options that simply cannot be achieved with SLAAC.


> So again: if all we're getting from the transition to IPv6 is 128-bit IPv4 with NAT, then why bother?

Because we need more addresses and it won’t be 128-bit IPv4 with NAT in reality.

In IPv4 with NAT, a single address identifies god-only-knows how many hosts.

At the worst in the scenario you describe, that would only be true with tethering where IA_PD was not
supported, which should be mostly rare. For all other situations, even if there is NAT, it still only identifies
a single physical host, even if there are VMs behind the NAT (and hopefully there aren’t because chances
are that if the network administrators wanted to allow handsets running hypervisors on their WLAN, they’d
be issuing multiple addresses to the handset).

Bottom line, the potential harms described in RFC-7934 are vastly outweighed by the harms of the
deployment delays being caused by android’s lack of IA_NA support.

Further bottom line, appeasing the environments that want this will not cause the vast majority
of other environments to suddenly run DHCPv6 in preference to SLAAC. Where SLAAC meets the
need, nobody is going to go to the trouble of implementing a DHCPv6 server.

Owen

v2.23.0 | Report a Bug | By Email